Chef Summit London: InSpec Keynote

Transcript

1. None

2. Christoph Hartmann Alex Pop Co-Creator InSpec, Engineering Director Twitter: @chri_hartmann

   Github: chris-rock Software Engineer Twitter: @al3xpop Github: alexpop

3. InSpec Updates Alex Pop & Christoph Hartmann

4. Agenda • InSpec Overview • Project Community Update • Demo

   1: Profile and Control Improvements • Demo 2: Extensions and Integrations • InSpec Outlook • Q & A

5. InSpec Overview • Show of hands • Open-source framework with:

   ◦ a simple language to describe tests ◦ local & remote execution engine ◦ flexible reporting • Used primarily for infrastructure and compliance testing

6. Audience DevOps Security Compliance

7. DevOps

8. Security Heartbleed Shellshock WannaCry

9. Mapping of Compliance Document to InSpec

10. InSpec Achievements

11. None

12. InSpec Timeline Initial Version April 9th, 2015 November 3th 2015

    InSpec 0.9 September 26th 2016 InSpec 1.0 February 20th 2018 InSpec 2.0

13. Project Health 207 Contributors 36 days issue resolution time 626

    total releases (one per week)

14. Project Health (Commits per Week)

15. Project Health (Stargazers)

16. Operating System Support Amazon Linux CentOS HP UX IBM AIX

    RHEL SLES Ubuntu Windows Debian Cisco IOS

17. Cloud Platform Support • Integrated in Azure Shell, Part of

    Azure Policy's Guest Configuration • Integrated into AWS EC2 Run Command • InSpec integrates with PowerClI

18. Platform Resources are managed in Resource Packs Profile 1 Profile

    2 Resource Pack • Resource improvements are managed independently from InSpec’s runtime • Easier to support new platforms • Makes management of runtime independent from the the user of the runtime

19. New: Support for Google Cloud Platform github: inspec/inspec-gcp

20. InSpec helps to shift security concerns to the left Compliance

    DevOps

21. InSpec 3 :shipit:

22. Demo: Profile & Control Improvements

23. InSpec’s Extension Mechanism (Current) My CIS L1 (inspec overlay) CIS

    Lvl1 (inspec) DevSec Windows Patch Baseline DevSec Linux Baseline DevSec Windows Baseline DevSec Linux Patch Baseline Profile 1 Profile 2 Resource Pack Profile Inheritance Wrapper Profiles Resource Packs

24. InSpec’s Extension Mechanism Provisioning Verification

25. InSpec’s Extension Mechanism CLI and Platform Plugins Terraform Provisioner Plugin

    terraform plugin github: inspec/terraform-provisioner-inspec inspec terraform cli plugin github: inspec/inspec-iggy

26. • Digitalocean Resource Pack • Digitialocean Platform Plugin Digitalocean Extensions

    for InSpec

27. Demo 2 Extensions & Integrations

28. InSpec’s Extension Mechanism Provisioning Verification

29. InSpec Wrap-up • Improvements for advanced profile handling, scalability and

    easier profile editing • Improved reporting for aggregated profiles • Extended cloud resources • Google Cloud and Digitalocean resource pack • Improved Terraform InSpec integration

30. InSpec Outlook • Priorities are based on issues and community

    feedback • Identified areas for improvement ◦ Simplified usage of resource packs ◦ Improved resource lifecycle handling (alpha, stable, deprecated) ◦ Ensure consistent behaviour for unavailable resources ◦ Improve profile inheritance with namespaced attributes ◦ Centralized deprecation behavior across inspec

31. OpenSource Resources inspec.io • Hands on tutorials • Extensive documentation

    • Code examples dev-sec.io • Chef Cookbooks • InSpec Baselines

32. Chef Automate ships with over 100 CIS Profiles

33. Q & A

34. References

35. Appendix

36. Plugins • Support for InSpec CLI and Platform plugins ◦

    CLI https://github.com/inspec/inspec-iggy ◦ Backend https://github.com/inspec/train-digitalocean • Resource Packs for Platforms ◦ https://github.com/chris-rock/inspec-digitalocean • See https://github.com/inspec/inspec/issues/3089 for more details

37. Unified attributes (1/2) Instead of re-defining InSpec attributes in each

    test file: --> control1.rb user = attribute('user', default: 'alice', description: '...') ... --> control2.rb user = attribute('user', default: 'alice', description: '...')

38. Unified attributes (2/2) Attributes are defined in the inspec.yml: attributes:

    - name: user default: alice required: true See https://github.com/inspec/inspec/issues/3176

39. Skip overhaul • "Skip" is currently used to identify cases

    where a control cannot run: ◦ The user doesn't want it to run when inheriting the profile Example: Use your colleague's AWS profile but skip all controls that test S3. ◦ The control isn't run when certain conditions are met. For example don't test MySQL if it isn't installed. ◦ A control is skipped if it uses resources that are not supported on the target system. For example looking for a "package" when testing an API. • See https://github.com/inspec/inspec/issues/3158 for more details

40. Severity Prior to InSpec 3, severity was a numerical value

    that is implicitly scaled as: 0.0 Informational <0.4 Minor controls <0.7 Major controls <=1.0 Critical controls We can now be more descriptive and use the CVSS values: low, medium, high, critical See https://github.com/inspec/inspec/issues/562 control 'one' do impact 1.0 control 'one' do impact 'critical'

41. Multiple description types (1/2) We often see descriptions like the

    following in our controls: desc ' This is a very long description. Rational: Why we do this… Fixtext: How to fix it… ' This doesn’t expose the context of the description, e.g. the “rational” or “fixtext”.

42. Multiple description types (2/2) By using an identifier for the

    descriptions, users can provide more context: desc ' This is a very long description. ' desc 'rational': 'Why we do this...' desc 'fixtext' : 'How to fix it...' See https://github.com/inspec/inspec/issues/1695